Mastering GPO Troubleshooting: The Ultimate Guide for IT Admins Using GPOZaurr

Captions
[Music] We just finished a series on understanding Active Directory Group Policies, and it's a complex topic. What we're going to do now is jump from that into troubleshooting, so we're going to be looking at troubleshooting these very complex group policies. I'm going to be using a PowerShell module that just does a fantastic job of walking through the fundamentals of troubleshooting group policies.

We're going to be using a PowerShell module that's found in the PowerShell Gallery. It is called Group Policy Eater; it's called GPOZaurr. You can also go to the GitHub site, and the gentleman who has written this module has made it fully available, open source. You can take a look at everything that he has done in this module. The module is extremely common sense, and the reason I'm going to use this module for troubleshooting GPOs is because, whether you use the module or not, the process, the steps, the overall concepts that he is using for this module are the very concepts and steps you do for any GP troubleshooting. But hopefully most of you will be able in your organization to use this GPO troubleshooting module and reporting tool, and you'll find it extremely helpful.

Now, the gentleman who wrote this module, I cannot pronounce his name. He is in Poland, he has his own company. He has also done a like PowerShell module for Active Directory, and I hope to actually look at that module in troubleshooting Active Directory. Remember, everything is going to be in the video notes, so you don't have to worry about "did I cover every element in this introduction", because you can download the video notes; everything will be in there. He has a company in Poland called Evotec. They have a lot of great information about material that they have available; most of it is, again, downloadable. His material is very well worth checking out.

Now, what do you need to get started? You need to have RSAT installed on your administrative workstation. That is the remote administrative tools for Active Directory, which includes Group Policy, Active Directory Users and Computers, Sites and Services, etc. So you need to have RSAT installed. Then, via PowerShell, go ahead and install his PowerShell module. Once you have done that, you're ready to go.

We've loaded our components. Let's go ahead and execute the single command and let's run the test. It runs a whole series of tests and gives us information about each of those tests: how long it runs, when it starts, when it ends. Then it's going to give us an HTML report, and now it's generating the report. So it doesn't take that long. Now, that depends on your enterprise: how complicated, your bandwidth, all that will impact how fast this set of PowerShell scripts will run.

Now our HTML report starts with "Report was generated on" what day and what time, and then we have a series of titles: broken group policies, broken policy broken links, Group Policy owners, Group Policy permission consistencies. We're going to walk through each and every one of them, because this is how you're going to troubleshoot group policies. We're going to start with broken group policies, and we're going to look at what causes the problem, how this shows us the problem, and then what steps we can take to start building our documentation and solving problems that this indicates to us.

The way he has generated his HTML reports for each of these policy diagnostics and analysis titles, the method he uses in his HTML reports, is like this: you're going to see two top panes, one with information, results on each of the tests, then a graph, typically on the right pane, and then below is a series of rows and columns that you can then export out in Excel. You can copy, you can do a CSV, you can create a PDF. Very, very nice, so you can document the information that he discovered in this test. And then down below at the bottom, actually, is a step-by-step series of PowerShells.

We can go look at this report again. Notice step two: if I go next, I can then use a series of PowerShell scripts to prepare a report. If I go next, I then get ready to create backups, and it will actually have a series of PowerShell scripts that you can use to back up these GPOs. Go next: fix GPOs not available in Active Directory. So he gives you some PowerShell scripts that you can use to start fixing the problems that it discovered. This is quite amazing. Then continue on, go next, and there's a series of PowerShell scripts. You can see I can highlight them here, there's another series here, and it gives you information on each of those, and you can use them as you feel comfortable. Then finally, go next: fix GPOs of wrong object classes, and we'll get into that. Again, PowerShell scripts that will help you solve those problems. And then next, you create a verification report on how this set of fixes and PowerShell scripts did: did they fix the problem, did they not fix the problem, do you need to go back? All of that is in this PowerShell module.

Broken GPOs come about by basically understanding that GPOs are basically two bits of information. One, we have metadata stored in Active Directory in the domain partition, and then we have a series of files and folders that are placed in a GUID folder that's unique to every GPO, and they're stored in the SYSVOL folder, which is also shared to the network with the name SYSVOL. So there's two SYSVOLs here; keep those straight. Every time we create a group policy, we have files and folders that are put in the SYSVOL folder, and we also have metadata put in Active Directory. This data can get unsynced. So broken group policies can happen really easily when you have the Active Directory metadata out of sync with the files and folders in the SYSVOL location.

What causes that? Well, a number of things can cause that. One, USN rollbacks in Active Directory can cause already deleted group policies to reappear, and yet the SYSVOL data is not there, so it shows up in the metadata but it's not in the SYSVOL folder. Group Policy deletion: if you are deleting group policies and they're across multiple domains, portions of it can be deleted in one domain but not in another domain. Permission issues can impact that deletion, where the person who is deleting a group policy has rights in one domain but doesn't have them in the other domain, or in the one domain they don't have complete rights in the permission structure of both their Active Directory and their SYSVOL folder. And then, of course, replication failed, so now the replication of the files and folders is not in sync with the Active Directory metadata. So all those things break GPOs.

Now, before we go any further, make sure that you thoroughly validate that you're able to run these types of modules on your production network. That is a responsibility that every one of you has to take. I ran it on mine, but it's my production network. The module is not just read-only; it can delete, change, edit, etc. It's only been tested on English-based Active Directories.

The author deliberately put in some safeguards. For example, as we get into fixing GPOs not available in Active Directory, as I showed you just a minute ago, as we walk through the various steps after you've done your backup, you can run these scripts, and notice they have a WhatIf statement. The WhatIf statement just allows you to run the commands and see how it results; it does not change anything. So if you want it to change things, you have to remove the parameter -WhatIf. He also added a feature called -LimitProcessing, which allows you to put a value there. Again, these are just safety mechanisms so that nothing is going to change or modify until you remove or add values to the -LimitProcessing or remove the -WhatIf. So the WhatIf parameter is just a safety mechanism: if you add it into a PowerShell command, it allows you to understand the potential impact of that command without actually executing it. It will display a message describing what the command would do if it were to run, without making any changes to your system or data. So he's added some safeguards into this module.

When we ran this module, one of the potential problems that can cause broken or orphaned group policies is what they call object class. This is an attribute assigned to that metadata. If that object class attribute is incorrectly set or it's corrupted for any particular GPO, it can lead to identification issues within Active Directory. Active Directory may not recognize the object as a valid GPO, leading to processing or replication problems. In the chart, if you see purple items in your broken or orphaned group policies, it's indicating that you have an object class attribute issue in the health state of your group policies. In your rows and columns of data, you can see you have a column called object class, and it shows you, for every GPO in your SYSVOL, what object class is being assigned. So make sure you check that, because that's where you're going to have to fix that problem to get that GPO to work again.

Let's look at the remediation steps. As we have run our first test, in my case I have no errors to fix, but in your case you may. What are the steps to fix the problem? In our first test module, we're going to prepare the environment, and you can run these PowerShell scripts. We're going to go next: you're going to prepare a report. Again, it's pretty much the same thing as we have right now. We'll come down here and next, we're also going to make a backup copy. Over here I have a folder where I actually ran that script, and it created a backup of all my GPOs, so I've got my SYSVOL folder saved on my administrative desktop. Now we're going to go next, and here's where we want to be more careful. We're going to have three steps to fix things. One, fix GPOs not available in Active Directory. Then we're going to go next, and I'll go into each of these in detail: fix GPOs not available on SYSVOL. And then last, go next: we're going to fix GPOs with the wrong object class.

So let's go back to fix GPOs not available in Active Directory. I am deliberately slowing down so that we can understand what this HTML report is telling us and what these scripts want us to do. I want to solve a broken GPO, and here's my problem: I have no data in Active Directory, but I have a GUID folder with stuff in it on the SYSVOL. This GPO will not work. So we have recognized that we don't have any data in Active Directory, but we have a SYSVOL folder that really does not have the corresponding data in AD. So we're going to get rid of this GPO that's in the SYSVOL folder; that's what this step is going to do.

We're going to be using this script right here. We're going to be using first this script, and we're going to leave the -WhatIf so that we can execute it and take a look and verify that, yeah, there are problems. If you're in a situation where you have a multi-domain scenario or you have limited domain admin credentials, you can then use this script here. We can come down here and use the same commands, and this time use -LimitProcessing, and this will allow us, based on the value we put here, in this case the value two, to delete two of those GPOs and stop. Then we can go back and run it again, take a look and see what's happening. This just prevents a mass deletion. If I didn't have that -LimitProcessing and I said, okay, execute this script, it's just going to mass delete all the GPOs in SYSVOL that don't have any data in Active Directory. You may not want to do that mass deletion. So here it's giving you that limitation: by putting a two or a one or whatever you want in there, it's just going to do that many, and then you can run it again and again and again.

Now, this did have a backup step. Really, keep in mind, if I have no data in Active Directory and I've got a GUID folder in my SYSVOL, there's no recovering of this GPO. So you don't have to do a backup in this. He has the steps in there to do a backup, but keep in mind there's not going to be any restoration of data, because you don't have anything in your Active Directory regarding that GUID folder. Nevertheless, you can see below, when we're actually removing that data, he does have again an effort to back up any GUID folder that you're going to delete. He'll give you an opportunity to back it up.

So let's look at the next step, which is fix GPOs not available on SYSVOL. What is this problem? This is where we have Active Directory data on that GP, but we come over here to the SYSVOL folder and there's no GUID folder, which has critical information for that GPO in Active Directory. So now we've got missing SYSVOL, and we've got data in Active Directory. We're going to take this step to fix that problem. Again, we're going to do the WhatIf just to see, and when you are ready to go ahead and move forward, then you can come down here and you can limit how many of those you have to fix. If it's 10 of them, you can just put -LimitProcessing to, instead of two, one, and just run them one at a time, over and over, until you've cleaned up all your broken GPOs.

Our last fix, and this is a rare situation, is where you have an object class attribute corruption or it's missing, and your GPOs are not going to run. If you look at your spreadsheet of your GPOs and you look under the column of object class and you see that it's missing or it's corrupt or it's not correct, it's not going to run. So this script will run against your GPOs in the WhatIf, and once you decide, okay, I've definitely identified those GPOs that have the object class issue, then I can run the script down here and limit to how many. Let's say I have two that are object class: I could leave the -LimitProcessing at two, or change it to one and do one at a time, check it, run it again. Then you can go check the overall health of your group policies now that you've made these changes. [Music]

What do we mean by Group Policy broken links? This primarily happens when we improperly delete a GPO. When we properly delete a GPO, we remove the metadata out of Active Directory and the files in the SYSVOL folder, and all of that is removed. Unfortunately, if anything still remains after that attempt to delete GPOs, you've got broken links. If the GP is created and then linked within the same domain, you'll always get a clean deletion, but if a GPO is linked to another domain, this can leave a broken link. Also be aware the PowerShell cmdlet Remove-GPO does not handle site link deletions, so that also can cause dead links to be stuck on a site until those are manually deleted. Just be aware, if you're using PowerShell to delete GPOs, sometimes it can leave those broken links.

I've run the PowerShell module and I'm on the test called Group Policy broken links. You can see I have no broken links, so there's nothing in the graph, there's nothing indicated in the informational section of the HTML report, I have no data in the spreadsheet, and I have some steps I could take if I wanted to fix this problem. Again, I can come over here, prepare, look at that environment. Again, I can prepare a report if I need to. And then this step here, where we actually remove broken links, is where we're going to run a command to remove those broken links. We know that the PowerShell script, or the module section that removes those broken links, contains the -WhatIf, so you're not going to do anything, but you can go look and see those broken links and you can see which ones are going to be removed. Now, if you remove the -WhatIf, it's going to remove them. Then you can go ahead, remove the WhatIf and execute the same command without the WhatIf, and it's going to remove those broken links. Be sure to run a report again to make sure that everything looks good.

Let's take a look at another problem with GPOs, and that is the ownership of those GPOs. By default, GP creation is usually maintained by domain admins or enterprise admins, so as long as you keep that consistency, your ownership issue will not be a problem. Here I've run the Group Policy owner test for this PowerShell module, and you can see I have 13 group policies that are under the ownership of the domain admin, but I have two that are under the built-in administrator account. Why? If we look at Active Directory Users and Computers, under Users, notice there is a group called Group Policy Creator Owners. If I go look at membership, go to properties, look at who's a member, it's the local built-in administrator who's in there. So I have two policies that were created under the built-in administrator ownership. That's got to be fixed.

Which two of my group policies are under the ownership of my built-in administrator? The two default ones. When I install a server and I promote it to an Active Directory, I get two default group policies. One's called the Default Domain Controllers Policy and the other the Default Domain Policy, and both of those default policies are under the built-in local administrator. All the rest of the GPOs I created under domain administrator rights; that's what we want all our GPOs under. So when I run my test, it looks at all the GPOs and looks at who owns them, and if there are any of the GPOs that are not owned by domain administrators or enterprise administrators, it highlights them. Now, is that going to break the world? No, but you probably should get them all under domain admin ownership.

Here's my data. I can see all my group policies, and I can see the two that were default, that were actually created using the built-in local administrator. Again, the fix is pretty straightforward. I can run the PowerShell script that will actually go ahead and turn that ownership from the built-in to the ownership of the domain administrator. So let me go ahead and clear my screen. I'm going to remove the -WhatIf, and it should go ahead and change that ownership. I'm going to go back and add the WhatIf and see if all is clear and everything is fine. Now, if I run my report, so now that I've supposedly fixed the problem, I'm going to clear my screen, go ahead and run my report, and now you can see my graph is all green. There are no group policies that are under different ownership of different individuals, everything is green in my data or my spreadsheet, and I'm clean and ready to go. So here you actually saw me fix a problem highlighted by the diagnostic and clean it up with the PowerShell script.

Now we've looked at three of just 15 of the analyses that this PowerShell module runs. We've looked at how to solve some of those problems, but more importantly, this module is actually walking you through how to troubleshoot GPOs. We've looked at broken GPOs, broken links, ownership, and as we finish the rest of these, you'll have a clear idea of what you need to do to troubleshoot Group Policy objects.

Feel free to put your comments in the comment section of this video. Your feedback is very, very important to us. If our channel helps you and it's the content that you're looking for, become a member; it's a great way to support the channel. It's $2.99 per month. Membership support is really appreciated. Coming up: part two, Group Policy troubleshooting. [Music]
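The metadata-versus-SYSVOL comparison and the -WhatIf and limit safeguards described in the captions above, as an added example that is not from the video and is not GPOZaurr's own code. The function names, GUIDs and paths are all constructed for illustration, and the script only works on a temporary directory, never on Active Directory or a real SYSVOL.

```powershell
# Added example: every GUID and path is constructed; no AD or real SYSVOL is touched.
# Get-GpoSyncState and Remove-OrphanedSysvolFolder are hypothetical names, not GPOZaurr cmdlets.
function Get-GpoSyncState {
    param([hashtable] $AdGpo,        # GUID -> objectClass taken from the AD metadata
          [string[]]  $SysvolGuid)   # GUID folder names found under the SYSVOL Policies folder
    foreach ($guid in (@($AdGpo.Keys) + @($SysvolGuid) | Sort-Object -Unique)) {
        $status = if (-not $AdGpo.ContainsKey($guid)) {
            'Not available in AD'                      # folder exists, metadata does not
        } elseif ($SysvolGuid -notcontains $guid) {
            'Not available on SYSVOL'                  # metadata exists, folder does not
        } elseif ($AdGpo[$guid] -ne 'groupPolicyContainer') {
            'ObjectClass issue'                        # both exist, class attribute is wrong
        } else { 'OK' }
        [pscustomobject]@{ Guid = $guid; ObjectClass = $AdGpo[$guid]; Status = $status }
    }
}

function Remove-OrphanedSysvolFolder {
    [CmdletBinding(SupportsShouldProcess)]             # gives the function -WhatIf and -Confirm
    param([string] $PoliciesPath, [object[]] $State, [string] $BackupPath,
          [int] $LimitProcessing = [int]::MaxValue)
    # The limit is applied before anything is touched, so a preview lists the same set
    $orphans = $State | Where-Object Status -eq 'Not available in AD' |
        Select-Object -First $LimitProcessing
    foreach ($gpo in $orphans) {
        $folder = Join-Path $PoliciesPath $gpo.Guid
        if ($PSCmdlet.ShouldProcess($folder, 'Back up and remove orphaned GPO folder')) {
            Copy-Item -LiteralPath $folder -Destination $BackupPath -Recurse
            Remove-Item -LiteralPath $folder -Recurse -Force
            $gpo.Guid                                  # emit what was actually removed
        }
    }
}

# Constructed stand-in for a Policies folder and for the AD metadata
$root     = Join-Path ([IO.Path]::GetTempPath()) "gpo-demo-$PID"
$policies = Join-Path $root 'Policies'
$backup   = Join-Path $root 'Backup'
$g  = 1..6 | ForEach-Object { "{00000000-0000-0000-0000-00000000000$_}" }
$ad = @{}
$g[0], $g[1] | ForEach-Object { $ad[$_] = 'groupPolicyContainer' }
$ad[$g[5]] = 'container'                               # constructed objectClass corruption
$null = New-Item -ItemType Directory -Path $backup -Force
foreach ($i in 0, 2, 3, 4, 5) {                        # $g[1] gets no folder; 2-4 have no metadata
    $null = New-Item -ItemType Directory -Path (Join-Path $policies $g[$i]) -Force
}

$found = (Get-ChildItem -LiteralPath $policies -Directory).Name
$state = Get-GpoSyncState -AdGpo $ad -SysvolGuid $found
$state | Format-Table -AutoSize
$common = @{ PoliciesPath = $policies; State = $state; BackupPath = $backup; LimitProcessing = 2 }
Remove-OrphanedSysvolFolder @common -WhatIf            # preview only, nothing changes
Remove-OrphanedSysvolFolder @common                    # backs up, then removes at most two
Get-ChildItem -LiteralPath $policies -Directory | Select-Object -ExpandProperty Name
Remove-Item -LiteralPath $root -Recurse -Force         # clean up the demo directory
```

Against a real domain the state would be rebuilt after each limited pass, which is the "run it again and take a look" loop the captions describe.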
Info
Channel: TechsavvyProductions
Views: 1,693
Id: y4aDvFbNLcw
Length: 23min 47sec (1427 seconds)
Published: Sat Dec 30 2023